The Mirai botnet has become infamous in short order by executing large DDoS attacks on KrebsOnSecurity and Dyn a little over a month apart. The attack on Dyn Managed DNS infrastructure sent ripples across the internet causing service disruptions on some of the most popular sites like Twitter, Spotify and the New York Times. Our network also experienced Mirai attacks in mid-August, and we’ve had a chance to dig into the leaked source code to understand it better.
We’ve discovered that Mirai malware infects IoT devices and then uses them as a launch platform to perform DDoS attacks. Mirai scans IP addresses across the internet to find unsecured devices and is programmed to guess their login credentials. It’s also predatory—it can even remove and replace malware previously installed on a device. Mirai is particularly fond of IP cameras, routers and DVRs.
One of the results of our research is the development of a scanner that can check whether one or more devices on your network is infected by or vulnerable to the Mirai malware. You can find the beta of the Mirai Scanner here.
When you click on “Scan My Network Now” the scanner will discover your public IP address—this is the IP address typically assigned to your internet gateway device or cable modem by your ISP. This device often functions as a router and Wi-Fi access point connecting other devices on your network to the internet. The Mirai Scanner will check your gateway from outside your network to see if there are any remote access ports that are vulnerable to attack by Mirai. The Mirai Scanner can only scan your public IP address.
When you first run a scan, you may get the following message because a device being scanned is infected with Mirai or because there are no vulnerable ports on your devices—most likely the latter. To be sure, restart any IoT devices on your network, like CCTV cameras or DVRs. The reason for the device restart is to clear Mirai’s ability to block ports on an infected device to prevent a scan. Wait until the devices boot up and rerun the scan. Restarting your IoT devices will disable Mirai’s blocking capability allowing you to get a valid scan. If you re-scan and get the same message again, your remote access ports are closed such that Mirai cannot invade any of your devices.
If the scanner accesses your network, it checks to see if any devices on your network can be remotely accessed using one of the passwords in Mirai’s dictionary.
If the scanner finds a vulnerability you will get a message like the following:
Receiving this message means that the scanner has found one or more devices on your network with a vulnerability to the Mirai malware—not necessarily a Mirai infection.
If the scanner finds a vulnerable device, you should do the following:
- Log in to each IoT device on your network and change the password to a strong password.
- Scan your network again to confirm that the vulnerability has been resolved.
Some Mirai Scanner exceptions:
- If your gateway/router has NAT (network address translation) enabled, Mirai Scanner will only scan devices configured with IP addresses that have port forwarding enabled for ports 22/23.
- Mirai Scanner will not scan devices on your network that have a dedicated IP address different from the computer you use to access the Mirai Scanner website.
For information about how to configure and manage security settings on devices connected to your network, refer to the documentation provided with the device or check the device manufacturer’s website.
We’d like to hear what you think after you’ve tried the scanner. Leave us a comment.